Post on 19-Dec-2015
Extensibility, Safety and Performance in the SPIN Operating System
B. N. Bershad, S. Savage, P. Pardyak, E. G. Sirer, M. E. Fiuczynski, D. Becker, C. Chambers, S. Eggers
Presenter: Judy Fischbach

Contributions
New extensible OS system (SPIN)
It allows applications to change OS
– Interface
– Implementation
It uses languages and link-time mechanisms
– To export fine grain interfaces
Type safe language used for extensions
Extensions dynamically linked into OS kernel

Introduction
Desire: To match applications with operating system implementation or interface
[Von Eicken et al ’92]
– High performance parallel apps don’t work well with network protocol implementations.
[Stonebraker ’81]
– Database apps perform poorly with disk buffering/paging algorithms in OS

Goals and Approach
SPIN relies on four techniques:
– Co-location
– Enforced modularity
– Logical protection domains
– Dynamic call binding
The language and runtime provide support for these techniques

SPIN System Overview
Executes in kernel’s virtual address space
Provides a set of extension and core system services
Dynamically loads into kernel
Written in Modula-3

Motivation
System structures are not set up well for specialization and can be costly
Why extensible?
– The system can be dynamically changed to meet needs of a specific application

Related Work
Hydra [Wulf et al ’81]
Microkernels [Bershad et al ’90]
Cross-Domain Communication [Hamilton & Kougiouris ’93]
“Little Languages” [Lee et al ’94]
Code install in kernel at runtime [Heidemann & Popek ’94]

Related Work
Software Fault Isolation [Wahbe et al ’93]
Aegis [Engler et al ’95]
Systems using language features (like SPIN) to extend operating system services [Cooper et al ’91]

SPIN Architecture
Two Models
– Protection
– Extension

Protection Model
Controls set of operations that can be used with resources
Capabilities, what are they?
– Definition: An unforgeable reference to a resource
– Implemented using pointers
– Pointer definition: A reference to a memory block whose type is defined within an interface

Example: Definition and use of interfaces/capabilities in SPIN
ref: Figure 1 of SPIN paper

INTERFACE Console; (* An Interface. *)
TYPE T <: REFANY; (* Read as "Console.T is opaque" *)
CONST InterfaceName = "ConsoleService"; (* A global name *)
PROCEDURE Open(): T; (* Open returns a capability for the console. *)
PROCEDURE Write(t: T; msgs: TEXT);
PROCEDURE Read(t: T; VAR msg: TEXT);
PROCEDURE Close(t: T);
END Console.

MODULE Console; (* An Implementation module *)
(* The implementation of Console.T *)
TYPE Buf = ARRAY [0..31] OF CHAR;
REVEAL T = BRANDED REF RECORD (* T is a pointer *)
  inputQ: Buf; (* to a record *)
  outputQ: Buf;
  (* device specific info *)
END;
(* Implementations of interface functions *)
(* have direct access to the revealed type *)
PROCEDURE Open(): T = …
END Console.

MODULE Gatekeeper; (* A client *)
IMPORT Console;
VAR c: Console.T; (* A capability for *)
                  (* the console device *)
PROCEDURE IntruderAlert() =
BEGIN
  c := Console.Open();
  Console.Write(c, "Intruder Alert");
  Console.Close(c);
END IntruderAlert;
BEGIN
END Gatekeeper.

Protection Domains
Generally, it is the set of accessible names available to an execution context
But different for SPIN
– Name and protection interface is at language level, not at virtual memory
– A protection domain defines the set of names that can be referenced by code with access to that domain

More about Domains
Domains can be intersecting or disjoint
Operations
– Create: Initializes domain
– Resolve: Matches symbols between target and those exported from source
– Combine: Creates linkable namespaces that consist of union of existing domains

Domain Interface
ref: Figure 2 of SPIN paper
INTERFACE Domain;
TYPE T <: REFANY; (* Domain.T is opaque *)
PROCEDURE Create (coff:CoffFile.T):T;
PROCEDURE CreateFromModule():T;
PROCEDURE Resolve(source, target: T);
PROCEDURE Combine (d1, d2: T): T;
END Domain.
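
The Create, Resolve and Combine operations can be modelled as operations on symbol tables. This Rust model is an added example, not code from the SPIN paper or from these slides; the Domain struct, the symbol names and the addresses are constructed for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Toy protection domain: exported names plus imports awaiting resolution.
#[derive(Clone, Debug)]
pub struct Domain {
    exports: BTreeMap<String, u64>, // symbol -> constructed "address"
    unresolved: BTreeSet<String>,   // imports not yet bound
    bound: BTreeMap<String, u64>,   // imports bound by resolve()
}

impl Domain {
    // Create: initialize a domain from an object file's symbol tables.
    pub fn create(exports: &[(&str, u64)], imports: &[&str]) -> Domain {
        Domain {
            exports: exports.iter().map(|(n, a)| (n.to_string(), *a)).collect(),
            unresolved: imports.iter().map(|n| n.to_string()).collect(),
            bound: BTreeMap::new(),
        }
    }

    // Resolve: bind the target's unresolved imports to names the source exports.
    // Anything the source does not export stays unresolved and unreachable.
    pub fn resolve(source: &Domain, target: &mut Domain) {
        let hits: Vec<String> = target.unresolved.iter()
            .filter(|n| source.exports.contains_key(*n)).cloned().collect();
        for name in hits {
            target.unresolved.remove(&name);
            let addr = source.exports[&name];
            target.bound.insert(name, addr);
        }
    }

    // Combine: a new linkable namespace exporting the union of two domains.
    pub fn combine(d1: &Domain, d2: &Domain) -> Domain {
        let mut exports = d1.exports.clone();
        exports.extend(d2.exports.clone());
        Domain { exports, unresolved: BTreeSet::new(), bound: BTreeMap::new() }
    }

    pub fn fully_resolved(&self) -> bool { self.unresolved.is_empty() }
    pub fn lookup(&self, name: &str) -> Option<u64> { self.bound.get(name).copied() }
}

fn main() {
    let console = Domain::create(&[("Console.Open", 0x1000)], &[]);
    let mut ext = Domain::create(&[], &["Console.Open", "Console.Reset"]);
    Domain::resolve(&console, &mut ext);
    println!("{:?} resolved={}", ext.lookup("Console.Open"), ext.fully_resolved());
}
```

An extension that imports a name no accessible domain exports never gets a binding for it, which is how the link step enforces the protection boundary.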

Extension Model
Provides
– controlled communication between extension and system
As an example, extension could…
– Monitor system activity
– Send performance information to applications
Extensions = Events + Handlers

More about Extensions…
[Diagram: Extension, Central Dispatcher, Event, Primary Implementation Module, Other Modules]
– Event: message sent to announce change in system state or to request service
– Extension registers event handler with event name
– Passes event name
– If allowed, GUARD can be associated with handler
– Can request to install additional handlers or replace primary handler
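
The dispatch path in the diagram above, with guards filtering which handlers run, can be modelled in a few lines. This Rust model is an added example, not SPIN code or code from these slides; the Dispatcher and Packet types, the event and extension names, and the allow-list used to decide whether an installation is permitted are all assumptions made for illustration.

```rust
use std::collections::HashMap;

pub struct Packet { pub proto: u8, pub dst_port: u16 } // constructed event argument

type Guard = Box<dyn Fn(&Packet) -> bool>;
type Handler = Box<dyn Fn(&Packet) -> String>;

// Toy central dispatcher; all names here are hypothetical.
#[derive(Default)]
pub struct Dispatcher {
    table: HashMap<String, Vec<(Option<Guard>, Handler)>>, // event -> handlers
    authorized: HashMap<String, Vec<String>>, // event -> extensions allowed
}

impl Dispatcher {
    // The module defining an event supplies the primary handler and says
    // which extensions may add handlers (assumed policy: an allow-list).
    pub fn define(&mut self, event: &str, primary: Handler, may_extend: &[&str]) {
        self.table.insert(event.to_string(), vec![(None, primary)]);
        let allowed = may_extend.iter().map(|s| s.to_string()).collect();
        self.authorized.insert(event.to_string(), allowed);
    }

    // An extension registers a guarded handler under an event name.
    pub fn install(&mut self, ext: &str, event: &str, guard: Guard, handler: Handler)
        -> Result<(), String> {
        let ok = self.authorized.get(event)
            .map_or(false, |a| a.iter().any(|e| e == ext));
        if !ok {
            return Err(format!("{} may not handle {}", ext, event));
        }
        self.table.get_mut(event).unwrap().push((Some(guard), handler));
        Ok(())
    }

    // Raise: evaluate every guard, run only handlers whose guard holds.
    pub fn raise(&self, event: &str, pkt: &Packet) -> Vec<String> {
        self.table.get(event).into_iter().flatten()
            .filter(|(g, _)| g.as_ref().map_or(true, |g| g(pkt)))
            .map(|(_, h)| h(pkt))
            .collect()
    }
}

fn main() {
    let mut d = Dispatcher::default();
    d.define("UDP.PacketArrived", Box::new(|_: &Packet| "primary".to_string()), &["dns_ext"]);
    println!("{:?}", d.raise("UDP.PacketArrived", &Packet { proto: 17, dst_port: 53 }));
}
```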

SPIN Core Services
Extensible Memory Management
– Physical storage
– Naming
– Translation
Extensible Thread Management
– Strands

Physical Address Service
Controls use and allocation of pages
Allocate event
– Requests physical memory
– Size specified
– Optional attributes specified
Deallocate event
– Given pointer p to memory, frees physical memory
Reclaim event
– Reclaims a candidate page

Virtual Address Service
Allocates capabilities for virtual addresses
Capability’s referent has
– Virtual address
– Length
– Address Space Identifier
Interface has procedures Allocate and Deallocate

Translation Service
Expresses relationship between virtual address and physical memory
Interprets 2 references
– to virtual addresses
– to physical addresses
Constructs a map between them
Installs this map in the MMU

Strands
ref: Figure 4 of SPIN paper
INTERFACE Strand;
TYPE T <: REFANY; (* Strand.T is opaque *)
PROCEDURE Block (s:T);
PROCEDURE UnBlock(s:T);
PROCEDURE Checkpoint(s:T);
PROCEDURE Resume (s:T);
END Strand.

System Performance
Four Perspectives:
– System Size
– Microbenchmarks
– Networking
– End-to-end performance

System component sizes

Microbenchmarks: Protected communication

Microbenchmarks: Thread Management

Microbenchmarks: Virtual Memory

Structure of Network Stacks

Microbenchmarks: Network Latency and Bandwidth
Ethernet and ATM applications using UDP/IP for both OSF/1 and SPIN

Microbenchmarks: Network Protocol Forwarding

End to End Performance

Other Issues: Scaling and Dispatch
Roundtrip Ethernet latency
– Measures 565 μs
50 GUARDs register interest in UDP pkt and all GUARDs evaluate to false
– Measures 585 μs
These same 50 GUARDs evaluate to true
– Measures 637 μs

Other Issues: Automatic Storage Management
SPIN uses trace-based mostly-copying garbage collector
None of previous measurement benchmarks change if garbage collection disabled

Other Issues: Extension Sizes

Conclusions
SPIN achieves performance, without sacrificing safety
Enables an efficient way to extend services along with basic set of core services
Programming languages with the appropriate feature support can be used to construct future operating systems